
The History and Evolution of Cyber Strategy


Published April 4, 2023

The historic evolution of the internet and cyberspace began with the “golden digital age,” which was characterized by immense hope for the democratization capabilities of the internet. This was followed by the sobering phase of cyber reality, where digital tools began to be used maliciously, causing disenfranchisement and concern for security. 

Discussion Questions:

  1. How can the trust between the public and private sectors be rebuilt, and what steps should be taken to prevent future breaches of this trust in the cyber realm?
  2. What other strategies can be employed to reduce the likelihood of cyber-attacks, and how can organizations work together to prevent cyber-attacks from occurring?

Additional Resources:

  • Read “The Biden White House’s Cyberwarfare Power Grab,” by Jacquelyn Schneider via the Wall Street Journal. Available here.
  • Watch “How Dangerous Are Cyberattacks?” with Jacquelyn Schneider on PolicyEd. Available here.
  • Watch “Why Cyber Is Different,” on PolicyEd. Available here.

>> Jacquelyn Schneider: So those are the main external threats, and those external threats are proliferating and also morphing, so how has US cyber strategy dealt with these problems over time? So I wanna take us back ten years, and we'll start in the mid 2000s to the early 2010s. And I would call these the golden digital years, for those of you who are a bit older, you remember these were years of extreme optimism.

The internet was new, the internet was going to democratize. It was going to bring information to the masses in a way that would lift up the people, that would increase the chance that democracy succeeded and autocracies failed. So a really great example here was the Arab Spring in which we saw social media being used to depose autocratic regimes.

And I think if you look at the writing at that time period, you really get this beautiful sense of hope. So I have a quote here from the 2011 International Strategy for Cyberspace, which is one of the first kind of written cyber strategies that came out during the Obama administration.

And it says, the digital world is no longer a lawless frontier, nor the province of a small elite. It's a place where the norms of responsible, just and peaceful conduct among states and peoples have begun to take hold. It is one of the finest examples of a community of self-organizing, a civil society, academia, the private sector and governments work together democratically to ensure its effective management.

So it was like this beautiful moment. And at the time, the UN was convening this group of governmental experts that were getting together. And they were talking about norms and cyberspace and really excited about what this was going to do for the developing world. At the same time, the US was recognizing that there were some potential kind of bad sides to cyber.

And so you saw them stand up Cyber Command not really as a command, but as a subordinate command underneath Strategic Command at the same time. So you had two things going on in the US. You had folks that were looking at cyber and thinking, this is really good for the world, and you had kind of a small minority in the Defense Department who was looking at this and saying.

This doesn't feel good, this could have big strategic nuclear implications. Well, the second half of the Obama administration is what I would call the sobering cyber reality. So we quickly realized that all this hope and optimism from the Internet, all this belief that it would turn into norms of openness and responsibility, actually was not turning out as they had hoped.

Instead, we saw the Sony attack, we saw the Chinese breach of the Office of Personnel Management, we saw increasingly sophisticated campaigns coming out of Iran and North Korea. And it all culminates in the election in 2016, where you see not only the stealing of cyber information in order to manipulate public opinion.

But also the weaponized use of information in order to sow discord and affect domestic policy. So the Obama administration goes from hope and optimism to 2016, and they really kind of don't know how they got where they are. And so you see that they feel an extraordinary sense of frustration, and this starts to manifest within the strategic documents that you see coming out starting in 2015.

So really towards the end of the Obama administration. So at the same time that at first they were feeling this optimism, and then they realized, my goodness, the cyber threat is proliferating. They are getting down to figuring out who is supposed to do what in the US government.

We talked about implementation of cyber strategy, this is the infamous cyber bubble chart. So during the Obama administration, they took on a large bit of responsibility for figuring out who in the executive would do what, when it came to cyberspace. None of that ever ended up in an actual strategy, but this slide went through over 500 iterations between the interagencies.

So this is a grand example of government compromise, bureaucratic efforts, and what it did is it laid out who's supposed to do what. So you can see there are three main agencies here, the Department of Justice and FBI, which they listed as the lead for investigation and enforcement.

So what they're saying here is DOJ, domestic stuff, criminal stuff, that's you. Then DHS becomes the lead for protection, and this was actually a big shift for the US government because the Department of Homeland Security is a relatively new organization. It does not have the bureaucratic power that the Department of Defense has.

But what the Obama administration was doing here was it was saying, hey, we think the cyber threat and the cyber problem is primarily a domestic problem. And we are gonna put Department of Homeland Security in charge of it. Department of Defense actually has a very, very small role in this bubble chart.

It becomes the lead for national defense, but throughout the Obama administration, there's a real question of, like, what exactly does national defense and cyberspace mean? So you can see there, it says, defend the nation from attack, but no authorities at this point are granted to the Department of Defense to actually conduct any offensive cyber operations without explicit presidential approval.

So they had a very lengthy presidential approval process, anytime that any kind of cyber attack was going to occur, only the DoD could do it. And it had to go through an interagency approval process where the DOJ, DHS, the Department of State, as well as the executive and the National Security Council were able to vote whether that attack should occur or not.

So while attacks, cyber attacks against the United States were proliferating and the US was building its capabilities, basically the Department of Defense was on the sidelines. So in recent congressional testimony, General Nakasone, who is in charge of Cyber Command, was asked, hey, do you know of any cyber attacks occurred underneath this presidential management authority?

He said, no. So the bottom line was, nothing could get through this process. So what we had in the latter end of the Obama administration is a focus on Department of Homeland Security, DOJ, and FBI. A focus on the State Department to propagate those norms that they still really believed in, and actually, you start, you even see them in the Trump strategies.

So they're still believing in those norms, and they believe the State Department is the primary way to propagate them. And then putting the Department of Defense on the side, and the idea there was, we really was a concern that the Department of Defense would increase the risk of escalation.

And so they were gonna be focused on defense and deterrence. We'll talk more about those assumptions about deterrence, but in order to do that, what the Obama administration was really saying was, be prepared, respond to crises, but do not use offensive cyber. So this kind of transitions to the Trump administration, so everything's kind of coming to a head at the end of the Obama administration.

They've built these different lines of effort in the road, everyone has a basic understanding of what they're supposed to do. Cyber threats are proliferating, there's this big acme at the end with the election interference. And so here we come, here comes the Trump administration in the 2018 strategy that they build out.

So Obama administration is a focus on deterrence and be prepared, not a lot of offensive or preemptive or active measures. Their efforts are developing norms without real punishment mechanisms, they had limited authorities for cyber operations, and most of this is because of concerns about escalation. They saw high uncertainty in cyberspace, and they felt like the best way to deal with that was to decrease the chance the Department of Defense could get involved.

Trump administration, on the other hand, was much more risk accepted. So they created a new DoD cyber strategy in 2018, Cyber Command came out with a strategic vision, eventually, the National Security Council wrote a strategy, too. It went the wrong way, so they didn't all talk to each other, that was a problem.

But the idea was that the Department of Defense was gonna be granted new authorities. They changed the way in which the attacks were approved and the Department of Defense was supposed to defend forward and persistently engage. So at the same time that these strategies were proliferated, there was a bit of a revolving door within the National Security Council about who is in charge of cyber.

And a bit of a neglect of what was happening in the Department of Defense and the Department of Homeland Security's new organization called CISA. Which dealt with most of the threats that were going on domestically. You had extremely charismatic figures at both CISA and the Department of Defense and General Nakasone, and so what you saw was actually kind of a really interesting bottom up experimentation.

So you saw a lot of activity occurring that was not occurring in the Obama administration without a lot of oversight. Which actually gave room for a lot of experimentation and learning during the Trump administration. So now we've moved into the Biden administration, and when I gave this talk before Ukraine, we would talk, and I'll talk a little bit about deterrence and norms and what we've learned.

And I would say, hey, what we've learned is that escalation is not as likely to occur in cyberspace, that states can do this tit for tat where they're combating with each other in cyberspace. And there's limited risk of escalation to violent conflict. I would say, hey, there are new norms about what is appropriate and not appropriate in cyberspace.

But we've learned a little bit about Ukraine, and some of it is validated what I said before, and some of it, I think, has let open new questions. So let me kind of start with what we've learned from what has occurred and is occurring in Ukraine. So I think the number one thing that we learned was that cyber defense and information sharing matters.

So all the boring, wonky stuff about how you build cooperation and sharing agreements with other states and with private sector. All of that stuff was really important when it came to building, just doing basic patching. And that basic patching and, like, basic defensive maneuvers really decreased the effectiveness of Russian attacks, especially in those first few weeks leading up to the initial advance into Ukraine.

So previous strategies defense is like a very small kind of throwaway part of the strategy, but the hope is that future strategies actually talk about what cyber defense means and the implementation. The other thing that we see from Ukraine is that cyber, while it's been talked about as Armageddon, Pearl Harbor, 9/11.

And really framed as this, like, militarized dispute, is really more like an intelligence contest. So it's about who has the right information, who can guard their information, who can trust their information? And the key to winning this intelligence contest is not deterrence or making sure that none of these attacks ever occur.

But instead in having information structures that are resilient, that are able to take an attack and able to survive. So part of why Ukraine was able to continue its operations despite significant Russian cyberattacks was that they actually moved to a hybrid cloud system right prior to the Russian attack.

And by moving to a hybrid cloud, they were able to generate more resilience. So when they had an attack against their satellite communications with Viasat, which actually had a pretty significant impact on their ability to command and control the lower echelons. They quickly turned to other measures of communication.

Elon Musk held Starlink and were able to keep their cyber, their information capabilities. So resilience is extremely important and has really been missing from all the previous US cyber strategies. The other thing is that US has focused a lot about how cyber can decrease uncertainty, and so they've devoted a lot of resources into making cyber operations that create effects like bombs.

But what we see is that where cyber really matters is increasing the fog of war, how it increases uncertainty. And that's a very different way of thinking about building weapons and capabilities than the US has worked on in the past. The other thing I'm gonna assert here, and that we see in Ukraine, is that while there's been a lot of fear about cyber and escalation, you see it throughout the Obama administration.

I think Ukraine shows that cyber operations are unlikely to increase violence or create incentives to start a war. Wars happen for political and human reasons, and cyber operations can shape who wins and loses in the outcomes of these wars, but they're unlikely to actually start violence. And the final thing, which I think is almost pointless to say at this point, is that information campaigns matter.

And I know this sounds like a throwaway statement, but information campaigns actually didn't factor in almost any bit of the last ten years of US cyber strategy.